24 changes: 14 additions & 10 deletions .github/workflows/release.yml
@@ -2,8 +2,8 @@
#
# One trigger, every artifact:
# 1. Changesets opens / merges a "Version Packages" PR. Merging it lands here.
# 2. The `release` job publishes `tokenometer` + `@tokenometer/core` to npm
# with provenance using direct `npm publish` (the
# 2. The `release` job publishes `tokenometer`, `@tokenometer/core`, and
# `@tokenometer/mcp` to npm with provenance using direct `npm publish` (the
# Changesets action's bundled publish path 404'd against this org's
# auth — see commit history). It then creates a GitHub Release on the
# new tag. The GitHub Marketplace re-publishes the Action listing
@@ -16,9 +16,16 @@
# 6. A separate `smoke-test` job runs on a fresh runner against the
# just-published versions on npm.
#
# npm publishing auth:
# Uses npm Trusted Publishing (OIDC), not long-lived tokens. Configure npm
# trusted publishers for `tokenometer`, `@tokenometer/core`, and
# `@tokenometer/mcp` with:
# owner/repo: faraa2m/tokenometer
# workflow: release.yml
# Keep `permissions.id-token: write` below; npm exchanges the GitHub OIDC
# token for a short-lived publish credential at `npm publish` time.
#
# Required GitHub repository secrets:
# NPM_TOKEN — npm Automation token (or Granular with Bypass 2FA)
# scoped to publish `tokenometer` and `@tokenometer/*`.
# VSCE_PAT — Personal Access Token from https://dev.azure.com.
# Scope: Marketplace → Manage. Skipped if absent.
# OVSX_PAT — Personal Access Token from https://open-vsx.org.
@@ -63,6 +70,9 @@ jobs:
node-version: '24'
registry-url: 'https://registry.npmjs.org/'

- name: Upgrade npm for trusted publishing
run: npm install -g npm@latest

- run: npm ci

- run: npm run lint
@@ -130,26 +140,20 @@ jobs:
working-directory: packages/core
continue-on-error: true
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish tokenometer (CLI)
id: publish_cli
if: ${{ steps.detect.outputs.needs_publish == 'true' }}
working-directory: packages/cli
continue-on-error: true
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Publish @tokenometer/mcp
id: publish_mcp
if: ${{ steps.detect.outputs.needs_publish == 'true' }}
working-directory: packages/mcp
continue-on-error: true
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

# Set `published` based on step outcomes, NOT registry re-check.
# npm registry has propagation lag (1-30s), so re-querying right after
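Review bot: The added `Upgrade npm for trusted publishing` step installs `npm@latest`, so the release job runs whichever npm version is newest at run time, immediately before it publishes with an OIDC-derived credential. Trusted publishing needs npm 11.5.1 or later, so an exact, reviewed version keeps the release reproducible, e.g. `run: npm install -g npm@11.5.1`, bumped in a reviewed commit. Separately, the GitHub OIDC token is now itself the publish credential rather than a secret scoped to the three publish steps' `env`, so `npm ci` and `npm run lint` presumably run in a job that can request it. The `permissions` block is outside the visible hunks, so confirm `id-token: write` is granted on the `release` job only, and consider `npm ci --ignore-scripts` or moving install/lint into a job without that permission. The header comment could also say that the old `NPM_TOKEN` secret should be deleted from the repository and revoked on npm.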